As the current crisis has evolved, it’s become clear that homeworking is likely to remain the preferred advice for months to come. There are numerous stories of how businesses have benefitted. Add to that the related economic and ecological benefits of meetings by Zoom (especially client meetings), and it’s safe to forecast that the landscape has changed permanently. Please see the offer of free support towards the end of the article.
So whilst this article is written from a Data Protection/GDPR angle, bar a couple of areas, the contents are more of a common-sense approach to protecting your business generally.
Within the privacy sector we work from a basis of Risk & Policy. Without understanding risks and their implications, it’s difficult to prioritise and action safeguards. By updating or creating a policy document around home working and staff using their own devices (where necessary and appropriate), you provide your staff with clearly written instructions on working from home, which essentially involves a large element of trust and probably the processing of a lot of data that is very sensitive for your business (and your clients).
Understanding the risk involves consideration of a variety of factors: the type of data (especially if you process special category data, formerly called sensitive data); whether employees are using their own devices and, if so, who has access to these devices; the method of connection (is it secure?); what staff do if they cause or encounter a breach; whether the devices are secure (patching/updates, virus protection etc.); and what controls exist around saving data (could it be unnecessarily replicated? Is it stored locally?). Dependent on your existing practices and policies, if you are changing the way of working, it is likely a risk assessment in the form of a DPIA (data protection impact assessment) should be completed.
3. Engage the experts
The obvious area will be IT (whether internally or externally supported); however, HR, data protection and cyber experts may also be involved. Our sector always encourages us to defer to experts in the relevant fields, best demonstrated by your IT partner/department being most likely to be aware of the industry best practices and new developments. Obviously, I’m going to advise that your data protection expert (internal/consultant) is key to this for the same reasons. Also speak to the people who are most likely to be aware of any issues: your staff. These people will be expected to follow the policies, and are the people who can provide the most valuable insight into what actually happens. Your HR expert (alongside GDPR consultants) can also advise around how to handle staff health data, especially if you are planning to monitor staff for Covid infection. It’s a complicated area of law that differs from country to country*. Your marketing team may want to reassure clients about their data being accessed in a home working environment.
4. Update/Create Policies
Using the guidance from these experts, update or create the relevant policies, ensuring they are designed to be easy to follow. Don’t forget about related policies (Breach Policy, Business Continuity Plan, Access Control, Data Collection etc.) – do your staff know who to contact in the event of a breach? The immediate aftermath of any breach is the critical time to minimise the impact.
Once policies have been updated, it is essential to ensure staff understand what is required. Any change in practice is likely to require explanation and, more importantly, employee buy-in. It may be advisable to find a sponsor within each team; video conferences offer an ideal vehicle to train staff. Training should be regular and supported with reminders, whether that be regular emails or visual reminders to place in and around the working environment.
It will be important to check that any businesses that process on your behalf (processors) have implemented the relevant checks and policies. GDPR places the responsibility on you to ensure your processors are treating personal data securely, and you should have a written agreement for processing of personal data.
7. Related Privacy Issues
The crisis doesn’t mean you can forget about other GDPR related obligations. Whilst the regulator (ICO) action doesn’t often make the front page, please don’t imagine it isn’t happening; there are numerous examples of action against small businesses. Additionally, having the ICO lean over your shoulder isn’t recommended or invited. Reputation is likely to be a bigger risk to your business than any potential fines. You will need to ensure you respond to Subject Access Requests and any other requests relating to subject rights in a timely manner. This may involve a further change in your policy documents and shouldn’t be forgotten.
If you need any help around policies, risk assessments or anything GDPR related, I’m here to help. I’m also offering a free Zoom consultation around making sure your Privacy Notice is fit for purpose and answering any data protection related questions you have. Your Privacy Notice tells the whole world how (and if) you have a considered approach to data protection.
The above is not designed to make you compliant (by any stretch), but to reduce the unquestioned risk attached to having a workforce working from home whether in part or in a majority.
* I have an infographic created by an international law firm around employee health data, if required.
The Compliance Consultancy have been helping businesses with data protection from well before GDPR became law in 2018. I have the CIPP/E qualification which is an accreditation from the International…